Puppet Server / SERVER-1315

Support autosigning with a ca certificate bundle file



    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Fix Version: SERVER 5.1.0
    • Froyo
    • 3
    • Sprint: Platform Core 2017-09-05, Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
    • Bug Fix
    • Automate


      Currently, the CA code returns the contents of $cadir/ca_crt.pem to agents who hit /v1/certificate/ca, which they do in order to bootstrap a trust relationship. The agents hit this endpoint if there isn't a localcacert on their filesystem, save the results to $ssldir/certs/ca.pem, and use the returned certificate to validate subsequent server connections.

      While the agents will happily use a certificate chain at their localcacert location to validate server connections, and puppet cert generate hostname.dom.ain on the master will select and use the correct CA cert out of a chain in ca_crt.pem, the autosigning code errors when it encounters such a file:

      Error: Could not request certificate: Error 500 on SERVER: Internal Server Error: 
      java.lang.IllegalArgumentException: The PEM stream must contain exactly 1 certificate

      I'm open to implementation options, either to permit >1 cert in the file (as puppet cert generate seems to do just fine, presumably by matching the private key to one of the certs in the bundle?) or by allowing a separate file to be returned by the /certificate/ca endpoint which is disconnected from the actual signing cert file.
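The behaviour the reporter describes (a strict "exactly 1 certificate" PEM parser failing on a bundle, versus selecting the CA cert out of the chain by matching it against the CA private key) as an added worked example in Ruby. This is not Puppet Server's or puppet's own code; it builds a constructed two-level CA (root plus an intermediate that holds the signing key) with the standard-library OpenSSL bindings, writes the same kind of bundle a ca_crt.pem chain would contain, and shows both the failing strict parse and the key-matching selection, then signs an agent CSR with the selected cert and checks the result against the chain. All names (Example Root CA, Example Puppet CA, agent.example.com) are made up for the fixture.

```ruby
require 'openssl'

# Parse a PEM stream that may hold one certificate or a whole chain
# (the reporter notes agents already accept a chain at localcacert).
def parse_pem_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# The strict behaviour the ticket reports: refuse anything but exactly one cert.
def parse_single_cert(pem)
  certs = parse_pem_bundle(pem)
  unless certs.size == 1
    raise ArgumentError, "The PEM stream must contain exactly 1 certificate (got #{certs.size})"
  end
  certs.first
end

# Pick the certificate in the bundle whose public key matches the CA private key.
# Requiring exactly one match guards against a bundle that repeats the signing cert.
def select_signing_cert(certs, ca_key)
  wanted = ca_key.public_key.to_der
  matches = certs.select { |c| c.public_key.to_der == wanted }
  unless matches.size == 1
    raise ArgumentError, "expected exactly 1 certificate matching the CA key, found #{matches.size}"
  end
  matches.first
end

# Generic certificate builder used for the constructed fixture and for agent certs.
# issuer_cert == nil means self-signed. Not Puppet's CA code.
def build_cert(subject, public_key, issuer_cert, issuer_key, serial, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer_cert ? issuer_cert.subject : subject
  cert.public_key = public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment',
                                         true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed fixture: root -> intermediate; the intermediate key is the one that signs agents.
# bundle_pem is what a chain in ca_crt.pem looks like (signing cert first, then the root).
def build_fixture
  root_key = OpenSSL::PKey::RSA.new(2048)
  root = build_cert(OpenSSL::X509::Name.parse('/CN=Example Root CA'), root_key.public_key,
                    nil, root_key, 1)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  intermediate = build_cert(OpenSSL::X509::Name.parse('/CN=Example Puppet CA'), ca_key.public_key,
                            root, root_key, 2)
  { root: root, intermediate: intermediate, ca_key: ca_key,
    bundle_pem: intermediate.to_pem + root.to_pem }
end

# Constructed agent CSR, as an agent would submit for (auto)signing.
def make_agent_csr(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Sign a CSR with the selected signing cert; reject CSRs whose self-signature fails.
def sign_agent_cert(csr, signing_cert, ca_key, serial)
  raise ArgumentError, 'CSR signature invalid' unless csr.verify(csr.public_key)
  build_cert(csr.subject, csr.public_key, signing_cert, ca_key, serial, ca: false)
end

# Verify a leaf against a trusted root, supplying the bundle as untrusted intermediates.
def chain_valid?(leaf, intermediates, root)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(leaf, intermediates)
end

if __FILE__ == $PROGRAM_NAME
  f = build_fixture
  certs = parse_pem_bundle(f[:bundle_pem])
  puts "bundle holds #{certs.size} certificates"
  begin
    parse_single_cert(f[:bundle_pem])
  rescue ArgumentError => e
    puts "strict parser: #{e.message}"
  end
  signing = select_signing_cert(certs, f[:ca_key])
  puts "selected signing cert: #{signing.subject}"
  agent = sign_agent_cert(make_agent_csr('agent.example.com'), signing, f[:ca_key], 3)
  puts "agent cert verifies against chain: #{chain_valid?(agent, certs, f[:root])}"
end
```

The key-matching selection is the reporter's first proposed option; serving a separate file from /certificate/ca would instead leave the single-cert parse alone and change only what agents receive.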


Assignee: Unassigned
Reporter: Eric Sorenson


